Manager, Security Analytics & Operations
Your opportunity
At Charles Schwab, our purpose is simple: we champion clients’ goals with passion and integrity. Guided by honesty, mutual respect and a commitment to doing what’s right, we bring innovation, education, and service together to help shape financial futures. Our people are the foundation of our success – they approach their work with curiosity and collaboration, coming together to create solutions that make a meaningful impact for clients and communities. As we expand into India, we are bringing this same culture of inclusion, learning, and opportunity to new talent. Joining us means becoming part of a global team where your work matters and your future can take shape.
Our Hyderabad location is central to Schwab’s growth, bringing together talented people and technology to drive innovation, scale and efficiency. Here, you will work alongside teams who create solutions that support millions of clients every day. The work you do is more than daily operations – it’s a chance to experiment, learn, and build within a values-driven, supportive environment. This is a unique opportunity to be part of our early growth phase and shape something new, backed by the stability and strength of a Fortune 500 company. Your impact begins on day one, and your contributions will help define our future in the region.
The SOC Team Lead is a tactical leader who bridges technical expertise and leadership within the SOC. Often considered a “player-coach,” the Team Lead manages the day-to-day operations of the SOC team, ensuring that incident response processes run smoothly during their shift. This role involves coordinating analysts’ activities, acting as the primary escalation point for complex incidents, and maintaining quality control over how incidents are handled and documented. The Team Lead still engages in hands-on incident response when necessary, but also focuses on mentoring analysts and improving operational processes. In a financial industry SOC, the Team Lead pays special attention to adherence to regulatory requirements and internal policies in all SOC activities, since a consistent, documented process is critical to both security and regulatory compliance.
Key Responsibilities:
- Operational Oversight: Manage and oversee real-time SOC operations during assigned shifts. This includes monitoring the flow of alerts and ongoing incidents, ensuring that all incoming security events are promptly assigned and addressed by the team. Balance workloads among analysts and maintain overall situational awareness of the organization’s security posture at all times.
- Incident Command & Escalation: Serve as the primary escalation point for incidents that go beyond Tier 1 or an individual analyst’s expertise. For high-severity or widespread incidents, act as the Incident Commander, coordinating response efforts, making real-time decisions on containment strategies (such as system isolation or shutdowns), and communicating status updates to management. Step in to directly handle or support particularly critical incidents alongside the team.
- Quality Assurance: Ensure quality control of the team’s incident handling and documentation. Review analysts’ incident reports and evidence to verify accuracy, thoroughness, and compliance with SOC procedures. Ensure that all required steps (analysis, containment, notification, etc.) are taken for each incident and that escalations include all necessary information.
- Shift Handoffs: Conduct and document shift handover meetings at the start and end of shifts. Clearly communicate any ongoing incidents, recent critical events, and operational issues to incoming Team Leads and analysts. Make sure there is a seamless transition so that active investigations continue without delay or information loss.
- Performance & Metrics: Track SOC performance metrics (e.g., Mean Time to Acknowledge/Investigate/Close incidents, number of alerts handled, false positive rates). Use these metrics to identify bottlenecks or areas for improvement. Provide regular updates to the SOC Manager on the team’s performance and any resource or process issues.
- Training & Development: Mentor and train SOC analysts to improve their skills. Conduct on-the-job training sessions, debrief significant incidents to extract lessons learned, and ensure analysts are familiar with new threats, technologies, and changes in procedures. Assist with onboarding new team members and promote knowledge sharing within the team.
- Process Improvement: Update and optimize SOC processes and documentation. Proactively identify inefficiencies or gaps in playbooks and standard operating procedures, and recommend enhancements. Work with the SOC Manager to implement new tools or updated workflows (such as new SOAR playbooks or reporting templates) to increase team efficiency and consistency.
- Tool and Environment Management: Ensure all SOC tools and systems are functional and being effectively utilized by the team. Coordinate with IT or engineering teams to fix any outages or performance issues in monitoring tools (SIEM, EDR, etc.). Verify that data feeds (logs, alerts) are flowing properly and that analysts have the technical resources needed to do their jobs.
- Compliance & Readiness: Support the SOC Manager in enforcing organizational security policies and regulatory compliance in daily operations. This includes confirming that the team’s incident handling and documentation meet standards required for audits or industry regulations, which is especially critical in financial services. Drive readiness by organizing routine drills or simulations (e.g., incident response tabletop exercises) to ensure the team is prepared for various cyber scenarios.
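The Performance & Metrics responsibility above names MTTA, MTTI, MTTC and false-positive rate without saying how they are derived from incident records. The following is an added example, not Schwab's code or tooling: it computes those figures for one shift from a constructed set of incident records, and it handles the two edge cases that most often distort the numbers, namely incidents still open at shift end (excluded from MTTC but counted as backlog) and incidents nobody has acknowledged yet (aged against the shift end so they raise MTTA instead of disappearing). The Incident fields, the SLA table and the sample incidents are all assumptions made for the illustration.

```python
"""SOC shift metrics from incident records (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional

@dataclass
class Incident:
    id: str
    severity: str                               # "low" | "medium" | "high"
    created: datetime                           # alert raised in the SIEM
    acknowledged: Optional[datetime] = None     # None = nobody has picked it up yet
    investigation_started: Optional[datetime] = None
    closed: Optional[datetime] = None           # None = still open at shift end
    disposition: Optional[str] = None           # "true_positive" | "false_positive" | "benign"

def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60

def shift_metrics(incidents, shift_end: datetime) -> dict:
    """MTTA / MTTI / MTTC (minutes), volume, backlog and false-positive rate.

    Unacknowledged incidents are aged against shift_end so a stale alert
    pushes MTTA up rather than being silently dropped.  Open incidents are
    excluded from MTTC (no close time yet) but reported as backlog, and the
    false-positive rate is computed over closed incidents only, because an
    open incident has no disposition yet.
    """
    ack, investigate, close = [], [], []
    backlog = unacked = false_pos = closed_n = 0
    for inc in incidents:
        if inc.acknowledged is None:
            unacked += 1
            ack.append(_minutes(shift_end, inc.created))
        else:
            ack.append(_minutes(inc.acknowledged, inc.created))
            if inc.investigation_started is not None:
                investigate.append(_minutes(inc.investigation_started, inc.created))
        if inc.closed is None:
            backlog += 1
        else:
            closed_n += 1
            close.append(_minutes(inc.closed, inc.created))
            if inc.disposition == "false_positive":
                false_pos += 1
    return {
        "alerts_handled": len(incidents),
        "closed": closed_n,
        "backlog": backlog,
        "unacknowledged": unacked,
        "mtta_min": round(mean(ack), 1) if ack else None,
        "mtti_min": round(mean(investigate), 1) if investigate else None,
        "mttc_min": round(mean(close), 1) if close else None,
        "mttc_p50_min": round(median(close), 1) if close else None,   # median resists one long incident
        "false_positive_rate": round(false_pos / closed_n, 2) if closed_n else None,
    }

def sla_breaches(incidents, shift_end: datetime, ack_sla_min: dict) -> list:
    """IDs whose acknowledgement time exceeded the per-severity SLA (assumed table).

    An incident still unacknowledged is judged on its age so far, which is
    what a Team Lead needs to see during the shift, not after it.
    """
    out = []
    for inc in incidents:
        waited = _minutes(inc.acknowledged or shift_end, inc.created)
        if waited > ack_sla_min.get(inc.severity, 0):
            out.append(inc.id)
    return out

def build_sample_shift():
    """Constructed incidents for one shift (not real data)."""
    t0 = datetime(2024, 1, 15, 8, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    incidents = [
        Incident("INC-1", "high",   m(0),   m(5),   m(10),  m(60), "true_positive"),
        Incident("INC-2", "medium", m(15),  m(20),  m(30),  m(45), "false_positive"),
        Incident("INC-3", "low",    m(30),  m(60),  m(75),  m(90), "false_positive"),
        Incident("INC-4", "high",   m(90),  m(95),  m(100), None,  None),   # still open
        Incident("INC-5", "medium", m(100), None,   None,   None,  None),   # never acknowledged
    ]
    return incidents, m(120)

if __name__ == "__main__":
    incs, end = build_sample_shift()
    print(shift_metrics(incs, end))
    print(sla_breaches(incs, end, {"high": 10, "medium": 15, "low": 20}))
```

The per-severity acknowledgement SLA table is an assumption; substitute the figures your SOC's runbook actually commits to, and keep the shift_end parameter explicit so the same function can be replayed against historical data for the SOC Manager's reports.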
What you have
Required Qualifications:
- Experience: 5+ years of experience in cybersecurity operations or incident response, with at least 2–3 years in a senior SOC analyst or similar role. The candidate should have a demonstrated ability to handle high-severity incidents and lead others. Prior experience in a team lead, technical lead, or supervisory capacity is strongly preferred.
- Technical Proficiency: Advanced hands-on experience with SOC tools and processes. This includes expertise in using SIEM and EDR tools for analysis and an understanding of SOAR (Security Orchestration, Automation, and Response) platforms for workflow automation. In-depth familiarity with incident response procedures (containment, eradication, recovery) as formalized in frameworks like NIST or SANS. Able to step in and perform any analyst task (from triage to deep forensic analysis) if needed.
- Leadership Skills: Proven track record of coordinating team activities or leading small teams during critical operations. This could be evidenced by experience as a senior analyst who has taken charge during incidents or mentored junior staff. Strong organizational skills to manage 24/7 shift scheduling and ensure coverage.
- Communication: Excellent communication and interpersonal skills. Capable of effectively communicating with technical team members, as well as translating technical issues into actionable information for managers. Ability to provide clear guidance under pressure is essential for managing live security incidents.
- Certifications: Recognized credentials demonstrating both technical depth and leadership potential. Examples include advanced technical certs like SANS GCIA, GCIH (or similar) to validate incident handling expertise, and broad security management or professional certifications such as CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager) to indicate knowledge of governance and leadership in security operations.
Preferred Qualifications:
- Financial Sector Experience: Work history in a 24/7 financial industry SOC or other highly regulated environments. This experience implies familiarity with compliance requirements (e.g., understanding regulatory mandates for incident reporting, audit trails, or data privacy) and typical threat actors targeting financial institutions.
- Process/Playbook Development: Experience in developing or refining incident response playbooks, standard operating procedures, or use cases for security monitoring. A background in optimizing SOC processes or implementing quality assurance programs in an operations environment is a plus.
- SOAR and Automation Expertise: Hands-on experience configuring or using SOAR tools (like Palo Alto Cortex XSOAR, Splunk Phantom, etc.) to automate incident response workflows. Ability to create or modify automation scripts to remediate threats and enrich alerts can significantly improve SOC efficiency.
- Additional Leadership Training: Participation in leadership development programs or possession of leadership-oriented certifications can be advantageous. For example, completion of management training courses or certifications in project management and IT service management (like ITIL) can help demonstrate readiness for the coordination and oversight aspects of the role.
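The SOAR and Automation item above asks for scripts that enrich alerts and remediate threats, and the Incident Command item earlier makes containment decisions such as host isolation the Team Lead's call. The following is an added example, not code from Schwab or from any SOAR product: a single playbook step, written in plain Python so it is independent of a particular platform, that enriches an alert with a threat-intel verdict and asset criticality, decides a severity and an action, and only marks reversible actions (blocking a source IP, opening a ticket) as safe to execute automatically while routing host isolation to a human for approval. Every decision is written to an audit list with its reasons, which is the record the Quality Assurance and Compliance responsibilities need. The intel table, asset inventory, internal ranges and sample alerts are constructed for the illustration.

```python
"""Alert enrichment and triage step for a SOAR playbook (added example; constructed data)."""
import ipaddress
from datetime import datetime, timezone

# Constructed lookups standing in for a TIP, a CMDB and the network inventory.
INTEL = {
    "203.0.113.7":   {"verdict": "malicious",  "tags": ["c2", "banking-trojan"]},
    "198.51.100.22": {"verdict": "suspicious", "tags": ["scanner"]},
}
ASSETS = {
    "pay-gw-01": {"tier": "crown_jewel", "owner": "payments"},
    "ws-1042":   {"tier": "workstation", "owner": "retail-ops"},
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def classify_ip(value: str) -> str:
    """'internal', 'external' or 'invalid'; a malformed field must not crash the playbook."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "invalid"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def enrich(alert: dict) -> dict:
    """Return a new dict; the raw alert is evidence and is never mutated in place."""
    out = dict(alert)
    src = alert.get("src_ip", "")
    out["src_class"] = classify_ip(src)
    out["intel"] = INTEL.get(src, {"verdict": "unknown", "tags": []})
    out["asset"] = ASSETS.get(alert.get("host"), {"tier": "unknown", "owner": None})
    return out

def decide(e: dict) -> dict:
    """Severity, action and whether the action may run without Team Lead approval."""
    sev, reasons = e.get("base_severity", "low"), []
    if e["src_class"] == "invalid":
        return {"severity": sev, "action": "manual_review", "auto": False,
                "reasons": ["src_ip is not a parseable address"]}
    verdict = e["intel"]["verdict"]
    if verdict == "malicious":
        sev = max(sev, "high", key=RANK.get)
        reasons.append("source IP flagged malicious: " + ",".join(e["intel"]["tags"]))
    elif verdict == "suspicious":
        sev = max(sev, "medium", key=RANK.get)
        reasons.append("source IP flagged suspicious")
    if e["asset"]["tier"] == "crown_jewel" and verdict != "unknown":
        sev = "critical"
        reasons.append("target is a crown-jewel asset")
    if sev == "critical":
        action, auto = "isolate_host", False      # disruptive: Team Lead decides (see Incident Command)
    elif verdict == "malicious":
        action, auto = "block_src_ip", True       # reversible perimeter block, safe to automate
    elif RANK[sev] >= RANK["medium"]:
        action, auto = "open_ticket", True
    else:
        action, auto = "monitor", True
    return {"severity": sev, "action": action, "auto": auto, "reasons": reasons}

def run_playbook(alert: dict, audit: list) -> dict:
    """Enrich, decide, and append an audit record with the reasons for the decision."""
    decision = decide(enrich(alert))
    audit.append({"alert_id": alert["id"], "ts": datetime.now(timezone.utc).isoformat(),
                  "decision": decision})
    return decision

def run_sample() -> tuple:
    """Constructed alerts (not real events) exercising each branch of decide()."""
    alerts = [
        {"id": "A-1", "src_ip": "203.0.113.7",   "host": "pay-gw-01", "base_severity": "medium"},
        {"id": "A-2", "src_ip": "198.51.100.22", "host": "ws-1042",   "base_severity": "low"},
        {"id": "A-3", "src_ip": "not-an-ip",     "host": "ws-1042",   "base_severity": "low"},
        {"id": "A-4", "src_ip": "10.20.30.40",   "host": "db-07",     "base_severity": "low"},
        {"id": "A-5", "src_ip": "203.0.113.7",   "host": "ws-1042",   "base_severity": "low"},
    ]
    audit = []
    decisions = {a["id"]: run_playbook(a, audit) for a in alerts}
    return decisions, audit

if __name__ == "__main__":
    for alert_id, d in run_sample()[0].items():
        print(alert_id, d["severity"], d["action"], "auto" if d["auto"] else "needs approval", d["reasons"])
```

In a real SOAR platform the lookups become integration calls and the audit list becomes the case timeline, but the split matters regardless of product: enrichment is pure and repeatable, the decision carries its reasons, and anything that takes a system offline stays behind a human approval gate.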
What’s in it for you
At Schwab India, you’re empowered to shape your future. We support your growth through meaningful work, continuous learning, and a culture rooted in trust and collaboration – so you can build the skills to make a lasting impact. Our benefits are designed to care for your wellbeing, your family, and your long-term financial security.
Our base benefits, wellbeing, and total rewards include:
- Competitive compensation and retirement programs including Employee Provident Fund (EPF), Gratuity, and optional National Pension System (NPS) contributions
- Robust Paid Time Off, including annual/privilege leave, sick and casual leave, public holidays, maternity/paternity leave, and more
- Education assistance for continued learning to help you grow
- Comprehensive medical insurance with Outpatient Department (OPD) services, including vaccination, pharmacy, dental, and vision coverage
- Annual reimbursement for health check-ups and mental health support through our Employee Assistance Program (EAP)
- Childcare (creche) reimbursement for eligible employees
- Transportation and meal benefits that support your day-to-day work
- Group life, personal accident, and critical illness insurance